Typically, in a computer network, when a client requests content from a server, the request is sent to the server through a number of intermediary devices, each of which may alter the request in some way, according to rules installed on the intermediary device. Likewise, any response from the server may be subject to revision or processing in accordance with rules established by administrators for networks of which the requesting client is a member. The intent of these various rules, and their embodiment, are commonly known as policies.
Management of the typical request/response process is complicated even in the case of a single client or single network. For example, there are a number of hardware and software computing elements involved, each of which is affected by the policies, thus adding complexity to the management of the process. Further, the information required for policy decisions arrives at different times. For example, connection information, request information and response information form three discrete “bundles” of information that become available at different times and within different processing subsystems. Thus the typical process is difficult to manage from a timing standpoint. In addition, the typical process is often extended in time, during which the policy rules may change, thus increasing the possibility of conflicting policy versions being applied to a single transaction. U.S. Pat. Nos. 7,447,755 and 7,555,552, both assigned to the assignee of the present invention, address solutions to these and other problems and describe mechanisms to allow for the uniform application of policy across separate processing elements within an intermediary device.
The problems highlighted above are even more complicated in multi-tenancy contexts, where an intermediary device or group of devices configured to apply policies to the inbound and outbound traffic of different networks is shared among those networks. For example, so-called cloud-based services are becoming popular among network administrators as a way to manage costs and ensure rapid deployment of updated solutions to their network clients. Accordingly, policy enforcement that used to occur at a network intermediary device located at the boundary of a single enterprise network may now be performed by a collection of such devices, still logically located at the boundary of a network, but which are also tasked with similar policy-based operations for many other networks that may or may not be co-owned by the owner of the enterprise network. The policies employed by administrators of the different networks may differ from one another, and even in the case of a single network owner, different segments of a commonly owned network may require different policy applications.
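The following is an added illustration, not code from the patents or their assignee, of the timing problem described above: the connection, request and response bundles are evaluated by different subsystems at different times, so a policy update published mid-transaction can make the phases disagree. The hypothetical `Transaction` class pins the tenant's policy version at connection time as one simple mitigation, and the store is keyed by tenant name so one tenant's update cannot affect another's rules; tenant names, rule contents and the `evaluate_unpinned` helper are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Hypothetical model (not the patents' mechanism) of the three information
# "bundles" in the text: connection, request and response, each checked by a
# different subsystem at a different time. A rule is an allow-predicate.
@dataclass(frozen=True)
class PolicyVersion:
    version: int
    rules: Dict[str, Callable[[dict], bool]]  # phase name -> predicate

class TenantPolicyStore:
    """Holds each tenant's currently published policy version (constructed)."""
    def __init__(self) -> None:
        self._current: Dict[str, PolicyVersion] = {}
    def publish(self, tenant: str, pv: PolicyVersion) -> None:
        self._current[tenant] = pv
    def current(self, tenant: str) -> PolicyVersion:
        return self._current[tenant]

class Transaction:
    """Pins the tenant's policy version when the connection arrives, so the
    request and response phases use the same ruleset even if the tenant's
    administrator publishes a new version while the transaction is in flight."""
    def __init__(self, store: TenantPolicyStore, tenant: str) -> None:
        self.tenant = tenant
        self.pinned = store.current(tenant)  # snapshot, not a live lookup
    def evaluate(self, phase: str, bundle: dict) -> bool:
        return self.pinned.rules[phase](bundle)

def evaluate_unpinned(store, tenant, phase, bundle) -> bool:
    # Failure mode from the text: each subsystem re-reads the live policy,
    # so a mid-transaction update makes the phases disagree with each other.
    return store.current(tenant).rules[phase](bundle)

def demo() -> dict:
    """Constructed scenario: tenant-a's admin tightens the request rule after
    the connection phase has already been decided under version 1."""
    store = TenantPolicyStore()
    v1 = PolicyVersion(1, {"connection": lambda b: b["port"] == 443,
                           "request": lambda b: b["host"].endswith(".example"),
                           "response": lambda b: b["type"] != "application/x-msdownload"})
    store.publish("tenant-a", v1)
    tx = Transaction(store, "tenant-a")
    conn_ok = tx.evaluate("connection", {"port": 443})
    store.publish("tenant-a", PolicyVersion(2, {**v1.rules, "request": lambda b: False}))
    req = {"host": "files.example"}
    return {"connection_allowed": conn_ok, "pinned_version": tx.pinned.version,
            "pinned_allow": tx.evaluate("request", req),
            "live_allow": evaluate_unpinned(store, "tenant-a", "request", req)}
```

Running `demo()` shows the pinned transaction still allowing the request under version 1 while a live lookup of the same tenant's policy now denies it under version 2, which is exactly the inconsistency an intermediary must avoid when policies change during an extended transaction.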